Centralization Risk in Owner Functions
Description: The contract grants significant power to the owner, who can change the merkle root or rescue tokens at any time without restrictions. This creates a centralization risk where users must trust the owner not to abuse these privileges. Lines 159-165 (set_merkle_root) and lines 167-177 (rescue_tokens) grant powerful capabilities to the owner.
Impact: Users must trust that the owner will not:
Change the merkle root to exclude legitimate users
Rescue tokens that are meant to be claimed by users
Recommended Mitigation:
Implement a timelock mechanism for sensitive owner actions
Consider a multi-signature approach for critical functions
Add restrictions to the rescue_tokens function to ensure it can only rescue tokens that aren't allocated to users:
def rescue_tokens(to: address, amount: uint256):self.onlyOwner()# Get the contract balancecontract_balance: uint256 = extcall IERC20(self.token).balanceOf(self)# Get the total unclaimed amount (requires additional tracking)assert amount <= contract_balance - self.total_allocated_amount, "Cannot rescue allocated tokens"log TokensRescued(to, amount)_success: bool = extcall IERC20(self.token).transfer(to, amount)assert _success, "Transfer failed"
Appeal created
[Invalid] Owner can call rescue_tokens and withdraw users tokens
The `owner` is trusted and the function `rescue_tokens` can be called only by the owner and only in case of emergency. This means the owner will not act maliciously and will not call the function without need. Also, issues realated to the malicious admin actions are invalid according to the CodeHawks documentation: https://support.cyfrin.io/en/articles/10059196-findings-validity
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.